January 31st, 2011

February 13th, 2009

I haven’t finished the code to implement this idea yet. I’m forced to show my hand since today is the last day in On Ruby’s CouchDB Contest.

A bloom filter is a data structure with some very cool properties. It’s very compact and performant. It represents an approximation to set membership. That is, it represents a collection of elements without storing the elements. An oft-quoted example is that of a dictionary—one can encode every word in the dictionary (taking up a lot of space) into a substantially smaller bloom filter. This comes with a cost: when a bloom filter says an element is not in the set, it’s not in the set. However, when a bloom filter says that an element is in the set, it could be wrong, but the expected probability of it lying can be ascertained from the size of the bloom filter and how many hashes it utilizes.

Properties of Bloom Filters

Space efficient.

Speed efficient (constant time adding elements, constant time query).

Uses k hashing functions (k, the user-selected number of hashing functions, determines how accurate the filter is).

Combinable. The union of two bloom filters of the same length and the same k hashing functions is just the bit-wise OR of their bit fields.

Possible use cases

Besides the dictionary use case mentioned, bloom filters are used to great effect in distributed file systems and caches, as a quick ‘filter’ to determine if an element is in the cache or on disk, to avoid expensive computations. I’d like to be able to reconstitute a bloom filter as a javascript object. Then you could very quickly determine client-side set membership without querying the server.

Example: every WikiWord could be encoded into a bloom filter, providing a very fast client-side test to see if a word should be linkable.

ISBNs in a library: I’ve been meaning to hack together an Amazon-powered better book search for my university, but how to efficiently determine if a particular book in a search of all books is at my local library without tons of API requests? I’d like to try a bloom filter encoding all books locally available.

Trying to avoid a Denial-of-Service attack. Say you’ve generated some large key space to keep your users’ data private but also shareable (like the large random URLs Google Reader uses). Someone could start guessing, and they’ll be guessing for a long time. Yes, you should rate-limit them, but each request could possibly result in a database query too—why not use a bloom filter to quickly determine if that long random key is likely in your database without the performance hit?

I need to look into the replication code in CouchDB, I don’t know how it’s being implemented—but one CouchDB instance could furnish another instance a bloom filter representing the set of all documents and their versions in the database.

Javascript and Ruby encodings of bloom filters and bit fields

Peter Cooper coded up a ruby bloom filter and the ruby bit field that the bloom filter depends on. The bit field is implemented as an array of 32-bit numbers. To index a specific bit you first look up the associated number in the array, then the bit offset into that number.

An array of numbers, easily expressible as JSON. A javascript class could easily use the JSON numeric array as the bitfield, as could Ruby or any other language.

Coming up with k hashing functions

So we’ve got bit fields, then we just need a hashing function. I’ve been looking for an excuse to use Bruce Schneier’s team’s submission to the NIST competition to determine the next standard hash (SHA-3), called Skein. The H2 Database guys, in addition to a Java-based version of the hash, provided us with a javascript implementation of Skein as well.

If you’ve got a good hashing function, you can use that hashing function to create more hashing functions, as many as you need in fact. The way I’m currently planning on doing this is to take a hash of the first hash, then a hash of the second hash etc. until there is enough keying material to produce k indexes.

Where CouchDB comes in

CouchDB implements views or calculated columns using map/reduce.

Map

The map function will take a document, specify the size of the bloom filter, and specify the number of hashes (k) to use in that bloom filter (or an estimate of how many elements you’ll add and the accuracy you’d like to attain). Then whatever property is desired out of the document can be iterated over and added to the bloom filter.

The map function will emit a JSON document with an array of numbers (representing the bit field), a property specifying which hashing function is being used (skein, md5, sha1 etc.) and the number of hashes calculated for each item.

Reduce

The reduce function will combine bloom filters, computing the union with a bitwise OR. After the reduce, a query to CouchDB will return a result containing a bloom filter for whatever content you’re after. This result can be used client-side, in javascript, or server-side in ruby or something.

Status

I’ve ported Peter Cooper’s ruby bit field to javascript. The bloom filter itself is partially implemented. I need to figure out how to add utility functions to CouchDB so that the bloom filter code can be easily used in any view. If anyone knows of a good javascript testing framework that works with SpiderMonkey from the command line I am all ears.

July 14th, 2008

One of the main problems, as I see it, with security research is the chicken and the egg. Let’s say you come up with a snazzy new protocol, but this protocol requires a smart client (or modification to a browser). Additionally, you have some identity providers that are not terribly difficult to develop, but are not deployed. Now, how do you justify deploying all these modifications or new service providers if there are no clients to take advantage of them? On the other hand, how do you justify upgrading all the clients to support a protocol that has no identity providers?

The real answer is that you compromise. You find some company whose business model can benefit directly from the technology and have them be a champion, and hope that you can get enough marketing (yes you heard me, marketing) and people interested that it creates some momentum and adoption.

One of the coolest protocols I’ve read about is SRP. It’s the bomb, really. Password based, strong cryptographic properties, mutual authentication—both the client AND the service provider are authenticated, phishing attacks to obtain your password are not an issue. I could go on, it’s got some serious coolness. Additionally, some work at BYU shows how it can be extended to make it solve a lot of problems that OpenID is aimed at, without the drawbacks. (Heck, it even allows you to delegate access to other users.)

Problem is, SRP and its extensions require a smart client, and modification of service providers. Chicken and the egg. Drat.

Thoughts:

I’m wondering if it can be adopted by compromise, by providing a signed java applet to perform the smart client responsibilities for wireless authentication.

Another thought, what if you could get one half of the problem solved, like getting widespread deployment of the smart client, the other side could very easily drop into place.

Early Adopters

Interesting tech is usually adopted by the geeks before it goes mainstream. Now, not all things the geeks embrace make it mainstream, but a lot of things mainstream were solidly in geek territory in the beginning. One way to get early adopters is to:

make a polished smart client for the linux desktop (gnome/kde)

on the server make your software as easy to use as an apache module etc.

The key is real solutions that at least the geeks can use today.

Ride Someone Else’s Coattails

OK. Everyone agrees that smart phones/smaller devices are going to be a key part of the foreseeable future. Why not use this trend to lift usable security mechanisms out of their academic tar pit? Just to be controversial I’m going to say Android is going to be huge. What if someone stepped up, and implemented this slick, efficient, just-what-the-doctor-ordered password smart client for the Android platform that happened to support SRP? Let’s say it took off like the iPhone, I think it is realistic to see broader adoption of SRP across the board if, in a year after launch there are 90 million installed clients with active users.

April 23rd, 2008

You’ve run into this before. You’re at home, looking up some academic papers and you always run into a couple that you can’t track down on the internet at large. You’ve got to get them from one of the major digital libraries. Sure, your university has a campus subscription—but you’re not on campus. You flounder trying to get something to work from the command line. No dice.

Here’s my trick.

Use SSH to set up a proxy back to your campus and send your web traffic through the campus network so that it looks like you’re on campus. I’ve got a Mac so ssh is easily available from the command line. I have gotten this to work using Putty on Windows though.

SSH supports SOCKS (a protocol for proxying traffic). It will open up a port locally (of your choosing) and any traffic to that local port will be carried over your secured ssh connection and come out the other side, where the remote host you’re connected to proxies all the data.

ssh -D 9000 username@cs.yourschool.edu

With this command ssh will listen on your localhost on port 9000. Configure Firefox to use a web proxy: Firefox -> Preferences -> Advanced Tab -> Network -> “Configure how Firefox connects to the Internet”. Choose the Manual proxy configuration radio button. For the SOCKS entry the host is localhost, and the port is whatever you specified for the -D option (I used 9000). Hit OK and you’re done.

Firefox will now pipe all your web traffic over ssh to your remote server. You are now “on campus” as far as anyone looking at your origin IP address is concerned.

I’d turn off the proxy (just set it back to no proxy in Firefox’s settings) after downloading what you’re after to avoid any network delay.

This technique is sometimes useful in situations at conferences where the wireless is blocked on port 80, but not on port 22 (ssh’s port). This is completely unconfirmed—you didn’t hear it from me.

January 17th, 2008

I’m writing this down so I won’t forget.

First, there’s the utility “Grab” in Applications/Utilities. It doesn’t have a window, you use the program menu or the keyboard shortcuts. After you take a shot it pops up a window with the image that you can save anywhere you want. By default it outputs TIFF images.

My preferred method is to use the keyboard shortcuts built into OS X. It generates crisp PNG image files of the screen.

apple command key + shift + 3 will take a capture of the entire screen (or two captures if you’re running a dual-head setup) and automatically save it as a PNG file on your desktop. It will be named Picture 1.png, where the number is auto-incremented with each screenshot.

apple command key + shift + 4 changes your cursor into a bulls eye. Whatever you select ends up the same as before—a file with the same naming convention on the desktop.

apple command key + shift + 4, then hit the space bar when you’ve got the bulls-eye cursor. It changes the icon to a camera. It takes a picture of the selected application window—the selected window will be highlighted in baby blue.

January 16th, 2008

Not eating enough fruit? Forgot to feed the fish again? Need a little help keeping your New Year’s resolutions?
Tell us what to hassle you about, and we’ll nag you via email at semi-unpredictable intervals.

I like the simplicity of it. I also like that you can configure a rough timing scheme. I could see myself configuring a ‘hassle’ everyday for only a short time. Either it would get ingrained into my head to do the thing everyday and I wouldn’t need the nagging anymore or it would be too much and the virtual nagging would become a little too real.

It would be fantastic for things that don’t happen quite as frequently. I know I’m not the only one that on occasion realizes that a month has passed by without me knowing.

Methinks the integration can go just a titch deeper – instead of just reminding, allow the notification to be actionable. For instance, if I mail you a reminder to blog, if you respond to the email, your response could be posted directly to your blog. Same goes for a journal.

An identity system with a delegation mechanism is really needed here. If I really want this service to post to my blog, well, I shouldn’t have to give it my blog password. I should be able to grant access to an application (the reminder service) to post a blog entry or whatever else without me disclosing my password. AtomPub can get us a lingua-franca to converse with all these web services, but it doesn’t provide the identity part.

January 16th, 2008

There are a lot of things going on over in Java-land that are bringing up the question, what exactly do you mean by Java? and what does the future of Java look like?

JRuby, Jython, Groovy and Rhino, these are all projects that show that Java as a language is not the future, but Java as a platform has a long and prosperous future.

On the other hand, Android is showing that the virtual machine isn’t the essential piece—it’s the syntax, the language. Android is using “java” but targeting their own virtual machine, Dalvik, instead of the JVM.

Which is it? I’m not sure. Both developments are heading in opposite directions, but both directions look promising. Conclusion: Java the platform|language|OS|whatever isn’t going away any time soon and what we think of as Java is definitely going to change.

January 15th, 2008

Most conferences are so boring. I want to do a conf on a hot subject when it’s still hot in the blogosphere. This may be a good subject for such a quickly organized conference.
What do you think of the flash conference idea for this??

I’ve never thought about a flash conference before. Not just for this topic, but so many others as well.

January 14th, 2008

I use Google Scholar among other academic searches to find work related to my research. Other citation references supply a Bibtex entry for generating bibliographies. It wasn’t readily apparent to me, but Google Scholar does have this feature, you just have to turn it on.

Go into the Google Scholar Preferences and change the ‘Bibliography Manager’ to “show links to import citations into Bibtex”. Other options for bibliography management are: EndNote, RefMan, RefWorks, WenXianWang.

Oh and while you’re in there, set the results per page to something more reasonable like 50.

January 11th, 2008

At home we have a MacBook. My wife can’t stand using the trackpad—she’s got to have a mouse. For our anniversary I got her a Kensington bluetooth mouse. I wanted a bluetooth device because I didn’t want any USB receiver sticking out the side to get bumped or broken. Took all of 45 seconds to hook it up.

January 10th, 2008

I’m a big fan of Google Reader. Let’s just say I’m subscribed to more than a few feeds. I use the keyboard shortcuts to quickly read and scan through my reading list. To keep my pace I’ve come to open articles that I want to think about more, or ones that I want to read more in depth in background tabs. Usually this involves the laborious task of moving my hand from the keyboard and middle-clicking with the mouse. Painful. Time-wasting. Distracting.

Enough is enough, so I decided to create a Greasemonkey script to bind a keyboard shortcut to opening an article in a background tab. But, what magical javascript incantation is required to open a tab?

All the hard work goes to Sunny Wu who provided the solution. I tweaked his version to use the “h” character instead of “v”.

I wasn’t sure what kind of event this handler receives and so I wasn’t sure how to determine that a “h” was pressed. Firebug to the rescue, I just added the following line to just print out the value to the Firebug console.

console.info("key=", event.which);

Sidenote: Ever wonder what event is sent for crazy modifiers like shift+3 or shift+s? I thought it might be something complicated—where you’d check if modifier keys were pressed on the keyboard event. I was thinking too much. Shift+3 ends up sending a #, shift+s sends a capital S. Who would have thought?!

Just change the first “if” to compare against 104 instead of 118 and h is the man.

I changed to h since, well, first, v currently opens the article in another tab that immediately takes focus—handy at times. Second, well, if I use h instead, I can navigate mostly with just my right hand :)

January 9th, 2008

By default, on a Mac in Firefox, tab moves from one form element to another—except it will skip radio buttons, checkboxes and drop-down select boxes. I have suffered in silence since I started using the Mac. I finally found out that this too can be remedied. Hooray!

There is an actual setting in the Mac OS that produces this behavior. To change this so that tab treats all form elements with equality go to:
System Preferences -> Keyboard and Mouse and select the tab Keyboard Shortcuts. On the bottom you will see a setting for “Full Keyboard Access”. Just set it to All Controls. This setting will take effect right away, no need to restart Firefox.

November 19th, 2007

You know how a lot of people, when they post presentation slides, say that it’s really difficult to “get” the presentation from just the slides? Well I mean it. Seriously. My slides have very few words. If you’re still interested, be sure to check out the actual paper (pdf).

I don’t use PowerPoint or the like, instead I use a XUL application that runs in any Mozilla based-browser (like Firefox, Camino, Netscape etc.). In order to see the presentation, you’ll need to use one of those browsers.

This presentation was given at the Digital Identity Management Workshop of CCS in Virginia on 2 November 2007.

The essence of our argument is that there is a spectrum of authorization approaches.

no authorization

authentication as authorization (where you can do anything if you are only able to log in)

explicit authorization where someone has to manually grant access to another person.

The first two can be automated, no manual intervention required. The gap between the second and third is considerable.
We believe that reputation can be used to bridge that wide gap giving systems many characteristics of explicit authorization in an automated way, so that the system itself can be self scaling (in terms of authenticating users).

November 14th, 2007

The organizers have asked that if you’re coming to put your name on the wiki page

I’ve never been to a “Camp” before but I hear they are like “unconferences”. I go to the Internet Identity Workshop which is an unconference, and the results have been fantastic. Those who come are actively involved in the discussion, it’s quite refreshing.

I don’t know if I will present or not. I could lead a discussion and get people up to speed with the digital identity landscape—OpenID, CAS, InfoCard and some secret sauce :)

If you’re interested but a little put off that it is specifically about “Ruby” you should come anyway. Ruby is a good excuse to get together and rub elbows, it’s not an excuse to exclude interesting people or ideas.

November 14th, 2007

Yeah I know, this is supposed to be a technology blog. This one’s for posterity.

I get severe canker sores. Huge. They hurt. They are no fun. It’s technically called Aphthous Stomatitis. I’ll get open canker sores about the size of a dime or worse that last for several weeks. That wikipedia link and other sites enumerate many attempted treatments. Some things that work for one person just have no positive effect for another. I’ve tried most of them and none of them seem to help.

When I was growing up, baking soda applied directly to the sore would help it heal faster. It hurt like heck though. My cankers get larger nowadays and the baking soda technique just hurts like crazy and doesn’t help at all.

My contribution to posterity is to merely document a treatment I heard about which has helped me. I got this home treatment from my cousin, who is a doctor. I’m not a doctor so don’t mistake this for medical advice.

The treatment is to use a styptic stick or pencil. They’re not as common nowadays but you can still find them in drug stores. They’ll be marketed as a way to stop bleeding if you’ve nicked yourself shaving.

You run a little water over the styptic pencil and then apply it directly to the sore. It chemically cauterizes the sore. Sometimes it stings a little bit, but not terribly so. It’s nothing compared to the hurt from baking soda or salt. You will get a pretty potent taste of citrus.

So, if you are one of the unfortunate sufferers of recurrent severe cankers and nothing seems to work, using a styptic pencil might be worth a try.

November 12th, 2007

I know I’m not like some people who get 600 hits in one day from Reddit. I’ve been told that the true measure of “getting on the map” is when spammers take notice of you. They’ve noticed my blog, probably due to my incredibly massive readership. I thought I had my blog settings to moderate comments, but I was mistaken. Sorry if any of you were exposed to some of those terrible comments over the last couple of days.

My current blogging engine is Mephisto which has built-in support for Akismet. So far Akismet has taken care of the problem. I’m getting several hundred spam comments every day, but none are getting through. None of the comments were particularly clever, but the volume is just no fun to keep track of by hand.

My university has a content filter (Dan’s Guardian) which uses blacklists as well as phrase weighting. I hadn’t thought about it before, but one drawback of using filters on the content is that when I went to remove spam comments, the comments triggered the content filter and kept me out of my own blog when I was trying to delete those very comments. Fortunately a semester ago they allowed a bypass that logged your action and let you through. Without that safety hatch I wouldn’t have been able to rectify the situation.

November 12th, 2007

I was on the phone with my Mom and she had a document she wanted to send me.

Devlin:

Mom, you’ve got a scanner. You can email it to me.

Mom :

Laughing It would be easier for me to send it in the mail!

She’s telling the truth. Yes, my mom is a very competent computer user. It’s just not easy enough. It’s not just her, it’s me too. The number of programs and such that you’ve got to get to work together is too many. The single button touch thingeroos on new all-in-ones don’t cut it. The software that listens for the scanner’s “convenience buttons” gums up the whole works; it consumes insane amounts of memory and doesn’t ever seem to work right anyway.

It’s a sad reflection on the state of usability in software when the postal system, the POSTAL SYSTEM of all things is easier to use.

November 9th, 2007

This blog, The Daley Devlin, was almost named Half Baked. I still haven’t ruled out the possibility of renaming it. In the conversation I have with myself, my mind says that I can really write about topics that I haven’t completely worked through, but I don’t feel like I can yet. I’m OK with some fairly unpolished prose, but I haven’t been able to force myself to write about unpolished ideas. We can’t always be right. It’s OK to be wrong, as long as we learn from our mistakes, right?

October 23rd, 2007

There are two main types of authentication systems, credential based authentication and relationship based authentication.

An example of a credential based system is your driver’s license. When I present my driver’s license I am presenting a hard-to-forge token from a trusted third party, in this case the government. Since you know it is hard to forge, you are comfortable accepting that it is indeed from the state of Oregon; since the biometric is printed directly on the token, you are comfortable accepting that I am the subject being asserted, and so you accept that as identification. You don’t need to call the Oregon DMV or contact them in any way. You have the credential and can verify it with just the information available.

An example of a relationship based system is your credit card. The card itself doesn’t carry any money on it—the merchant must contact the issuer of the credit card on every transaction. The credit card is basically a note saying, “call Discover, this is my account number to ask them if I have sufficient funds for this purchase”. The merchant actually calls up Discover, asks them if I have sufficient funds and Discover says “yes” or “no”. Discover must be contacted on every transaction. Without contacting Discover, the merchant can’t verify anything.

Even though a lot of identity systems are a mixture of these two, the essence of the protocol falls into one of these two camps.

OpenID is a relationship based system. To log into a website, you present your OpenID, a url, which is basically a note telling the website who your identity provider is (you lookup the url to obtain the XRDS service document that contains this information). The website hasn’t necessarily run into this identity provider before so it must decide if it trusts it enough for what the application is providing.

InfoCards are mostly credential based. A website or service presents at login identity providers it will accept. After the user selects an appropriate card the card selector contacts the identity provider and obtains credentials. The assertions are signed cryptographically by the identity provider’s private key (hard to forge) and are given to the original website. The website verifies the assertions by checking the signatures with the identity provider’s public key.

Credential based systems:

assertions are hard to forge tokens

usually come down to something based on Public Key Infrastructure (PKI), i.e. cryptography

credentials are difficult to revoke (that’s why InfoCards limit the time assertions are valid to mitigate this)

we don’t have to contact the issuer of the credential to verify it

can work offline

performant

Relationship based systems:

assertions are just another party saying “yes” or “no”

Not dependent on PKI (although you do need to know that the identity provider is who they say they are)

credentials are easy to revoke—the next time the question is asked the identity provider says “no” and they will be asked on the next transaction

we must be able to contact the issuer on each transaction.

must be online

verification is “slower” than verifying a credential (contacting someone else is slower than just verifying locally)

PKI has been around for a long time but has not caught on with the public in general. It’s hard enough for geeks to get right. Relationship based systems are very natural, they model how a lot of things work in real life. In later posts I’ll write about some of my latest work—taking things that are possible with credential based systems but aren’t available for general use and seeing if I can tweak them into something feasible using relationships in the hopes that it could actually become generally available.

October 8th, 2007

To learn about distributed version control systems (DVCS), I’ve been using bazaar on some small projects. I know these DVCSs are supposed to really shine in multi-developer environments spread out across the world but I have found that they offer an incredibly low barrier to entry for a single developer on his own box. This is the typical situation for a college student in computer science and many others as well.

An example could help here. I’m taking a networking class where a bit of code is provided in a framework and we need to use the code for our programs.

cd lab1
bzr init
bzr add
bzr checkin -m "Initial import"

Done. This folder is now under version control.

When version control is this easy to setup and use, there’s no excuse for not using it.

October 2nd, 2007

Some time ago I went on a church mission to Brazil for two years. I didn’t know anything about Brazil or Portuguese. We have a Missionary Training Center where I was inundated with non-stop Portuguese lessons for two months. It moved so fast it was hard to remember everything but it was a good preparation. I went from no knowledge of Portuguese to two months later being dropped off in the small town of Maracaju, Mato Grosso do Sul, Brazil. The other missionary working with me was Brazilian, leaving me three hours away from anyone who could understand me. I thought I was learning a lot in the classroom but have since found that the pace of learning doesn’t even compare to complete immersion. I don’t like to go hungry. I learned how to speak.

I’ve been in web development for a long time. Since I’m a student in computer science, I have gravitated towards making the “back-end” of web systems. At the same time I think that user experience is the most important aspect of software design. I found that even though I read a lot about it, my javascript fu was not strong enough. I could design cool, useful apps that were fully functional on the backend, but in order to code up the front I would search for javascript scripts and widgets until I found one that was similar to what I was looking for and then just tweaked it. That works for many things, but other times you can’t fall back on those tactics and must flex your own fu.

After all is said and done, more is said than done. —Aesop

Reading and talking about it aren’t enough. You’ve got to do it yourself.

I gave myself a self-imposed immersion project. I wanted something small enough that I could have some quick success (to entice myself to stick with it) but still be big enough to be interesting.

When the term Ajax first started gaining momentum Jamis Buck blogged a piece about his first Ajax app, a simple word game. The back story was that there was a technical discussion at his work about the merits of asynchronous XMLHttpRequest versus synchronous XMLHttpRequest. His little word game was a demonstration to his coworkers showing that asynchronous was the way to go, so that it would not lock up the browser. It was a fun little game that both my wife and I enjoyed playing now and again.

For my javascript immersion project I decided that I would try and write the entire game in javascript with no back-end at all. It was just to force myself to get out of my comfort zone.

This is implemented using the excellent jQuery library. The tasteful effects are courtesy of the Interface library. The dictionary is just all the four letter words contained in the file /usr/share/dict/words on my Mac. I know, a lot of words you think should be in there aren’t (especially the short pluralized ones like tips, huts etc.). If you can get me a better dictionary I’ll gladly switch.

I used jQuery and am glad I did. It takes away a lot of pain experienced in my previous forays into javascript and browser incompatibilities.

August 30th, 2007

I first heard about the Linksys WRT54G from The Pulpit of Robert Cringely several years ago. I bought it knowing that I could replace the stock firmware with an open source firmware since the firmware was based on Linux. I chickened out. I was too worried that I would make a brick of my only router.

With a little encouragement from my wife I recently took the plunge. The happy ending: everything worked flawlessly and everything has been fantastic.

Quality of Service—I thought I’d need this to give my Vonage phone priority but I haven’t had any issues with the default settings

I finally know how much bandwidth I’m using

Real time svg graphs of iChat video conference in Tomato.

The picture is of the real-time graph. You can see where the bandwidth was pushing 2 megabits for both upload/download in the video conference, and then where the other end decreased their bandwidth by sending a junky low-res picture. I am much more polite and vain and had to keep sending in high resolution.

August 30th, 2007

We needed a computer for our family so I just bought an academically priced MacBook. Great laptop, by the way. If you buy a laptop you get a free iPod ($200 rebate). The idea was that I would get the iPod for free, then sell it, and the money made would effectively reduce the price paid for the MacBook. I got a guy at the bookstore to tell me which iPod model was their best seller—turns out it was the Black 30GB iPod Video by quite a distance.

My first thought about where to sell the iPod was eBay. I’ve never sold anything on eBay so I have no reputation there. I ask myself, “would I buy a $200 iPod from someone whose eBay rating is 0?” and I think, probably not. Let’s face it, with eBay the size it is I’m a small, small fish. I just can’t compete with someone with a reputation rating in the thousands.

As reputation systems become more pervasive I think we will run into more problems like this. I don’t plan on selling a lot of stuff on eBay (hey I’m a poor college kid so I don’t have very much to sell anyway). Without the ability to bootstrap from another source I’m forced to build my reputation via transactions or sales. That doesn’t work so hot since I’m just interested in a one-time sale.

What to do? Go old school. I listed it on KSL.com’s online classified ads. No reputation system. No feedback mechanism. Just like the paper version of the classifieds.

There is a cost to this. I had to give my address and home phone number. These are attributes that have value to me, and like I described last post, they give me some reputation, since each buyer knows I have something to lose if I misbehave, giving them an avenue of recourse.

A topic for another post perhaps: there is no explicit reputation system, but my reputation is most definitely being evaluated. It’s just that instead of looking at my past behavior (transactions), people have to rely more on the metadata about the transaction. This is one difficulty of automating reputation calculations/algorithms. Sometimes what matters is not so much that I say “I assert I have an unused iPod for sale” as how I say it. Instead of being about “what I’ve done” (past transactions) it’s instead “who I am” (metadata about me and a transaction).

This is one way local online classifieds have a leg up on eBay: face to face meetings and actual inspection of goods give buyers and sellers lots of metadata.

The happy ending: I guess I priced it right, and expressed enough trustworthiness in my description that after listing it at 10pm last night it sold first thing this morning.

August 23rd, 2007

Several months ago, my brother started selling his handmade leather books on Etsy.com. This was caused mostly by a failure on my part. I’m the family “web application” guy. He’s asked me several times to get him a website and I have not delivered. It’s not because I don’t want to; it’s been more an issue of lack of time since I’m in school. I was happy to see him get something up, even if it wasn’t his ideal web presence. His books are amazing and he has an incredible talent.

Now we get to the crux of the matter. Here we’ve got an online store for handmade leather goods, hosted by a reputable online “mall” (Etsy.com), but we have no sales. Etsy provides a feedback mechanism for buyers, à la eBay. Etsy shows him that people are indeed looking at the products. But no purchases.

What’s the problem? No one knows if they should trust him. No one knows him. He has no reputation.

He has to bootstrap his reputation to get something going. I think there are a couple of ways to bootstrap reputation:

1. Lower the risk for people who interact with you. Let their feedback start your reputation.

2. Get someone to vouch for you—borrow reputation from someone who is already established.

3. Transfer reputation from another context where you do have a reputation.

4. Associate attributes with your identifier that have value—so that you have something to lose.

Number 3 is currently very difficult to do online. For instance, how can I let customers know of my good eBay rating in a way that they can reasonably know that it is my reputation and not just me pointing to another seller? Transferring reputation between different contexts doesn’t always make sense either; just because I’m a good plumber doesn’t necessarily mean that I’ll be a good babysitter.

Number 4 is also currently difficult to do online. If I’ve got a separate account at every website, how can I claim attributes in a way that can actually be verified by another user? So what if I tell you I’m a Sun employee, how can I prove it?

3 and 4 can be related. A good reputation has value.

It usually takes some combination of approaches to get things rolling. In the case of Artisan Graham, my brother used Etsy, which lent him some credibility from #2. From #1, he gave a friend a discount on an item (lowering the risk), and that person liked the product and left a rating reflecting that. That seems to have gotten the ball rolling—people who had been browsing felt sufficiently confident that the store was real to place some orders. They left good feedback and now he’s had over 80 transactions with a 100% satisfaction rate. I told you he made good stuff.

This is when I realized that Etsy (and eBay for that matter) was providing much more than payment processing. They offer buyers a trusted source of reputation and sellers a way to build it.